\input{gl2.slide-header-beamer}
\errorcontextlines=99
%% Subtopic Number = '1.114.3'
% * 1.114.3 Setup user level security
% Modified: 2003-Mar-17
% Maintainer: [49]Mark Miller
% Weight: 1
% Description: Candidate should be able to configure user level security.
% Tasks include limits on user logins, processes, and memory usage.
% Key files, terms, and utilities include:
% quota
% usermod
% \title{\textsf{[2] } \\[2mm]\large \textsf{(Linux Professional
% Institute Certification)}\\[1mm]\normalsize}
\title{1.114.3\\Setup user level security\\Weight 1}
\author[Geoff Robertson]{Geoffrey Robertson \texttt{ge@ffrey.com} \and Nick Urbanik \texttt{nicku@nicku.org}\\ {\tiny This document is licensed under the GPL---see section~\ref{sec:license}}}
\subtitle{Linux Professional Institute Certification --- 102}%
\mode
{\chead{1.114.3}}%
% TODO:
% Still needs stuff about many other things besides quotas.
% Add stuff about ulimit.
\begin{document}
\maketitle
\mode
{\thispagestyle{empty}}
\begin{frame}
\frametitle{Outline}
\mode {%
%\footnotesize
\begin{multicols}{2}
\tableofcontents
\end{multicols}
% You might wish to add the option [pausesections]
}%
\mode
{%
\tableofcontents
}%
\end{frame}
\section{Context}
\label{sec:context}
\begin{frame}
\frametitle{Topic 114 Security [8]}%
\framesubtitle{Where we are up to}%
\begin{description}
\item[1.114.1] Perform security administration tasks [4]
\item[1.114.2] Setup host security [3]
% \uline depends on \usepackage[normalem]{ulem}:
\item[1.114.3] \textbf{\uline{Setup user level security [1]}}
\end{description}
\end{frame}
\section{Objective}
\label{sec:objective}
\begin{frame}
\frametitle{Description of Objective}%
\framesubtitle{1.114.3\ \ Setup user level security [1]}%
\mode{\Large}%
Candidate should be able to configure user level security. Tasks include limits on user logins, processes, and memory usage.
\end{frame}
\begin{frame}[fragile]
\frametitle{Key files, terms, and utilities include:}%
\framesubtitle{1.114.3\ \ Setup user level security [1]}%
\mode{\Large}%
\begin{description}
\item[\texttt{quota}] --- display disk usage and limits
\item[\texttt{usermod}] --- can modify the expiry date of an account, and can disable an account
\end{description}
\end{frame}
% \begin{frame}[fragile]
% \frametitle{Setup User Level Security [1]}
% \framesubtitle{Resources of interest}
% \begin{description}
% \item[TBA]
% \begin{semiverbatim}
% \end{semiverbatim}
% \end{description}
% \end{frame}
\section{Enabling Quotas}
\label{sec:enabling-quotas}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}
\framesubtitle{Enabling Quotas}
\begin{itemize}
\pause
\item % \reveal
Add the \texttt{usrquota} and \texttt{grpquota} options in \texttt{/etc/fstab}:
\begin{semiverbatim}
/dev/hda2 /home ext3 defaults,usrquota,grpquota 1 2
\end{semiverbatim}
\pause %\reveal
\item Create the \texttt{quota.user} and \texttt{quota.group} files:
\begin{semiverbatim}
fehung:~# touch /home/quota.user /home/quota.group
fehung:~# chmod 600 /home/quota.user /home/quota.group
\end{semiverbatim}
\pause
\item %\reveal
Initialise the \texttt{quota.*} files as databases by running \texttt{quotacheck}:
\begin{semiverbatim}
fehung:/home# quotacheck -augv
Cannot get exact used space... Results might be inaccurate.
quotacheck: Scanning /dev/hda2 [/home] done
quotacheck: Checked 143 directories and 689 files
\end{semiverbatim}
\end{itemize}
\end{frame}
%\subsection{Set and View Disk Quotas}
%\label{sec:set-and-view-quotas}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Enabling Quotas \textit{ctd\ldots}}%
\begin{itemize}
\pause
\item % \reveal
Confirm that the databases have actually been initialised by making sure that the \texttt{quota.*} files are larger than 0.
\pause
\item % \reveal
Run \texttt{quotaon} to enable the quota system:
\begin{semiverbatim}
fehung:/home# quotaon -a
\end{semiverbatim}
\pause%
\item % \reveal
There are two further things to deal with:
\begin{enumerate}
\pause
\item % \reveal
Turn quota on at boot time. (details next slide)
\pause
\item % \reveal
Check the database regularly. (details next slide)
\end{enumerate}
\pause
\item % \reveal
The filesystem (in this case \texttt{/home}) is now ready to accept quotas on a per-user or per-group basis.
\end{itemize}
\end{frame}
\subsection{Initialising Quotas when booting}
\label{sec:initialising}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Initialising Quotas when booting}%
To ensure quota is turned on upon system boot, add the following to the system's initialisation script (\texttt{/etc/rc.d/rc.sysinit} or similar):
\par%
{\mode{\small}
\begin{semiverbatim}
if [ -x /sbin/quotacheck ]; then
    echo "Checking quotas."
    /sbin/quotacheck -auvg
    echo "Done."
fi
if [ -x /sbin/quotaon ]; then
    echo "Enabling quotas."
    /sbin/quotaon -avug
fi
\end{semiverbatim}
}
\end{frame}
\subsection{Check quotas regularly with \texttt{cron}}
\label{sec:check-quotas-with-cron}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Check the Quota database Regularly with \texttt{cron}}%
To ensure that the databases are checked regularly, add a script to one of the crontab system directories (such as \texttt{/etc/cron.weekly/}) to run \texttt{quotacheck}:
\begin{semiverbatim}
#!/bin/bash
/sbin/quotacheck -auvg
\end{semiverbatim}
or a job in crontab to achieve the same thing.
\end{frame}
\section{Quota Limits}
\label{sec:quota-limits}
%\begin{frame}[<+->]
\begin{frame}
% \frametitle{Set and View Disk Quotas}%
\frametitle{Quota Limits}%
There are five types of quota limits that can be enforced:
\begin{itemize}
\item Per-user hard limit
\item Per-group hard limit
\item Per-user soft limit
\item Per-group soft limit
\item Grace Period
\end{itemize}
\end{frame}
\subsection{Hard Limit---User}
\label{sec:hard-limit-user}
\begin{frame}
% \frametitle{Set and View Disk Quotas}
\frametitle{Quota Limits---Per-user hard limit}
\begin{itemize}
\item absolute maximum of a user's allocated space
\item user cannot write anything else to the filesystem when reached
\item write to current file is truncated
\item user can free space and save file if program has a copy of the file in memory
\end{itemize}
% This is the absolute maximum of a user's allocated space, once reached
% the user cannot write anything else to the filesystem, and the
% currently worked upon file if saved is truncated and useless. The user
% doesn't lose what is in the current shell, so they can free up some
% space and then save the file.
\end{frame}
\subsection{Hard Limit---Group}
\label{sec:hard-limit-group}
\begin{frame}[fragile]
%\frametitle{Set and View Disk Quotas}
\frametitle{Quota Limits---Per-group hard limit}
\begin{itemize}
\item absolute maximum of a group's allocated space
\item members of the group cannot write anything else to the filesystem when reached
\item write to current file is truncated
\item user in the group can free space and save file if program has a copy of the file in memory
\end{itemize}
% This is the absolute maximum of a group's allocated space, once reached
% the group cannot write anything else to the filesystem, and the
% currently worked upon file if saved is truncated and useless. Users in
% the group don't lose what is in the current shell, so they can free up
% some space and then save the file.
\end{frame}
\subsection{Soft Limit---User}
\label{sec:soft-limit-user}
\begin{frame}[fragile]
% \frametitle{Set and View Disk Quotas}
\frametitle{Quota Limits---Per-user soft limit}
\begin{itemize}
\item Less than hard limit
\item When reached, user enters \alert{grace period}
\item User gets warnings on terminal that quota has been exceeded
\end{itemize}
% An abstract limit enforced on users that is less than the hard
% limit, and once reached, the user enters the grace period. After
% the soft limit has been reached the user starts getting warnings
% printed on the terminal that the quota has been exceeded.
\end{frame}
\subsection{Soft Limit---Group}
\label{sec:soft-limit-group}
\begin{frame}[fragile]
% \frametitle{Set and View Disk Quotas}
\frametitle{Quota Limits---Per-group soft limit}
\begin{itemize}
\item Less than hard limit
\item When reached, group enters \alert{grace period}
\item Members of the group get warnings on terminal that quota has been exceeded
\end{itemize}
% An abstract limit enforced on groups that is less than the hard
% limit, and once reached, the group enters the grace period.
% After the soft limit has been reached the group starts getting warnings
% printed on the terminal that the quota has been exceeded.
\end{frame}
\subsection{Grace Period}
\label{sec:grace-period}
\begin{frame}[fragile]
% \frametitle{Set and View Disk Quotas}
\frametitle{Quota Limits---Grace Period}
\begin{itemize}
\item Grace period is a time before the hard limit is enforced
\item \blue{regardless of whether the hard limit is reached}
\item \ldots\,unless the user gets their quota down below the soft limit in that time
\end{itemize}
% Once a soft limit has been reached the user/group enters the grace
% period which is an abstract time before the hard limit is
% enforced, regardless of whether the hard limit is reached
% (assuming the user doesn't get their quota down below the soft
% limit in that time).
\end{frame}
\section{Configuring Quotas with \texttt{edquota}}
\label{sec:configuring-quotas}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Setting up and configuring quotas}%
\begin{itemize}
\item %\pause % \reveal
The next move is to edit the quota reference for each user.
We can get around this with scripts, but essentially this is not nice :)
\item %\pause % \reveal
We can actually edit the quota of a typical user on our system and then copy the attributes of that user's quota to other users, as follows:
\begin{semiverbatim}
fehung:/home/greebo# edquota greebo
\end{semiverbatim}
\item %\pause % \reveal
This edits the quota for user greebo; in this file we change the soft and hard limits to whatever we choose, for example:
\begin{semiverbatim}
Disk quotas for user greebo (uid 1000):
Filesystem   blocks   soft   hard   inodes   soft   hard
/dev/hda2       538  29000  30000      689      0      0
\end{semiverbatim}
\end{itemize}
\end{frame}
% \section{Configuring Quotas with \texttt{edquota}}
% \label{sec:configuring-quotas}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Configuring Quotas}%
\begin{itemize}
\item %\pause % \reveal
The first soft and hard values are relevant to blocks and the second to inodes; here the user has a block soft and hard limit but no inode limit.
\item %\pause % \reveal
We can then attribute these settings to the rest of the users thus:
\begin{verbatim}
fehung:/home/greebo# edquota -p greebo $(awk -F: '$3 > \
999 { print $1 }' /etc/passwd)
\end{verbatim}%$
and can confirm this worked by running
\par
\cmdbox{sudo edquota \meta{randomuser}}
\par
to see whether the new settings copied across.
\item \pause %\reveal
We can only modify the grace limit system-wide. We do this by running \rootcmd{edquota -tu}, and changing the value.
\end{itemize}
\end{frame}
\section{Viewing quotas with \texttt{quota}}
\label{sec:quota}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Quota commands: \texttt{quota(1)}}%
\texttt{quota} is used to display quotas on users and groups, using the \texttt{-u} switch for users and the \texttt{-g} switch for groups:
\mode
{\small}%
\mode{\small}%
\begin{semiverbatim}
fehung:/home\rootcmd{quota -uv greebo}
Disk quotas for user greebo (uid 1000):
Filesystem   blocks   quota   limit   grace   files   quota   limit   grace
/dev/hda2       538   29000   30000             689       0       0
\end{semiverbatim}
\end{frame}
\section{Turning quotas on and off}
\label{sec:quotaon-quotaoff}
\begin{frame}[fragile]
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Quota commands: \texttt{quotaon(1)}}%
\texttt{quotaon} turns on the quota system; \texttt{quotaoff} turns it off. Easy!
\end{frame}
\section{repquota}
\label{sec:repquota}
\begin{frame}
\frametitle{Set and View Disk Quotas}%
\framesubtitle{Quota commands: \texttt{repquota(1)}}%
\texttt{repquota} reports on the status of quotas. Common options are as follows:
\par\medskip\par
\begin{tabular}{@{}>{\ttfamily}ll@{}}
-a & reports on all quotas\\
-g & reports on group quotas\\
-u & reports on user quotas\\
-v & verbose mode
\end{tabular}
\par\medskip\par
Examples:
\cmdbox{sudo repquota -v /home}
\par
or
\par
\cmdbox{sudo repquota -a}
\end{frame}
\section{License Of This Document}
\label{sec:license}
\begin{frame}
\frametitle{License Of This Document}%
\raggedright%
Copyright \copyright\ 2005, 2003 Geoffrey Robertson and Nick Urbanik.
\par%
Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation---either version 2 of the License or (at your option) any later version.
\end{frame}
\end{document}